Okta: Reclaiming control over digital identity

20 Feb 2019

Article by Okta APAC vice president Graham Sowden

The data reckoning arrived last year when news of Facebook’s major breach hit the headlines.

The repercussions went far beyond the social media giant, because social authentication is used with thousands of connected apps.

Diligent consumers rushed to reset their passwords, unlink services from Facebook, and even close their accounts.

But from the chaos, bigger questions emerge: What is a digital identity? Who is responsible for that information? And what rights do digital citizens have?  

While they didn’t necessarily set out to be the custodian of millions of individuals’ personal data, it’s become clear that social media companies, including Facebook, Google and LinkedIn, are in that position today.

When news of the Cambridge Analytica scandal broke, Facebook users the world over felt betrayed. Most people didn’t know their personal data - information they thought was shared privately with friends and loved ones - was being given to third-party companies.

Through social authentication, Facebook’s data breach could have far-reaching ramifications, as users’ digital identities have potentially been compromised in the plethora of apps they permit Facebook to access.

This issue is not unique to Facebook: similar concerns were raised by a bug in the Google+ network, though it’s not confirmed that any personal information was actually exposed or used by attackers.

A continuous stream of headlines questioned what exactly had happened to Facebook’s shared user data, yet there hasn’t been a wider push to fully understand how much personal information is out there in the ether, and how it’s all interconnected.

Users urgently need a better understanding of their digital identity, and greater control.

First, it’s important to consider what defines personal information.

Most people fear exposing credit card numbers the most.

And while that’s valuable, it’s not personal.

A credit card number is an identifier that matches a consumer to their banking information.

Think of a postage tracking number: it’s better to have control of it, but it's not that concerning if someone else has access to it.

Other identifying numbers, including credit card numbers, driver’s licenses and tax file numbers, should be thought of in the same way.

As people have increasingly complex interactions online, sharing how they think and what they do on the internet, the world has entered a different era than the one in which passwords or PINs were the only keys needed to protect our information.

Software companies now gather information to understand what users like; they record biometric information like fingerprints or heart rates; they listen to voice commands and track typing patterns.

The wealth of information they hold goes far beyond credit card numbers and encompasses who users are as individuals.

In many cases, social media profiles – used to authenticate applications and services across personal and professional environments – now represent much of a person’s digital identity.

It should be a priority to protect this information.

Next, it’s important to understand what companies are allowed to do with user information, and why caution and consent are important.

With new data regulation laws in place, companies now need to know what data they are collecting (especially when third parties are collecting it for them) and are required to be clear about what personal information they will share as a part of the consent process.

Setting and publishing a robust data privacy policy, including consent and strict scopes for what personal information can be collected, what it can be used for, and how long it can be kept for, is essential to being a responsible company in the digital age.

The consent process recognises and gives equal value to the two parties in this social contract: the individual deciding who can access their information, and the company using that information for commercial ends.

It’s worth noting that a business isn’t allowed to exclude users from their services if they don’t say yes to their terms; closing this ‘bully loophole’ is another safeguard needed to ensure consumer protections are upheld.

Last, it’s important to weigh up the benefits of using Facebook to access other services against the risks. The benefits of social authentication are clear: simple, secure verification for both the user and the app developer.

But social media companies have no commercial interest in protecting their consumers’ identity. Whether personal data is being given away or stolen, neither is acceptable.

Businesses and individuals alike should consider the vast amount of personal information that is held by different services and be mindful of what organisations are given access to.

Use consent with caution and consider alternate identity authentication methods for the foundation of your connected digital ecosystem (full transparency: Okta’s in the business of enterprise identity management).

There’s too much at stake when it comes to digital identity: it has become a commercial currency. Rather than letting Facebook and others be the custodians of personal data, users need to take back control.

With the dangers of not protecting information continuing to grow exponentially, it’s time to be serious about digital identity.
